securevpn-xyz-http-hooks 1.3.3

data/lib/option/i2p.rb

@@ -0,0 +1,28 @@
+module Option
+  class I2p < Base
+    def activate!
+      add_firewall_routes
+    end
+
+    def deactivate!
+      remove_firewall_routes
+    end
+
+    private
+
+    def add_firewall_routes
+      system "/sbin/iptables -t filter -D INPUT -p tcp -m tcp --dport 8118 -j DROP"
+      system "/sbin/iptables -t filter -A INPUT -s #{virtual_ip} -p tcp -m tcp --dport 8118 -j ACCEPT"
+      system "/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 8118 -j DROP"
+      system "/sbin/iptables -t nat -A PREROUTING -p udp -m udp -s #{virtual_ip} --dport 53 -j DNAT --to-destination #{server_virtual_ip}:53"
+      system "/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -s #{virtual_ip} --dport 53 -j DNAT --to-destination #{server_virtual_ip}:53"
+      true
+    end
+
+    def remove_firewall_routes
+      system "/sbin/iptables -D INPUT -s #{virtual_ip} -p tcp -m tcp --dport 8118 -j ACCEPT"
+      system "/sbin/iptables -t nat -D PREROUTING -p udp -m udp -s #{virtual_ip} --dport 53 -j DNAT --to-destination #{server_virtual_ip}:53"
+      system "/sbin/iptables -t nat -D PREROUTING -p tcp -m tcp -s #{virtual_ip} --dport 53 -j DNAT --to-destination #{server_virtual_ip}:53"
+    end
+  end
+end

data/lib/option/proxy.rb

@@ -0,0 +1,66 @@
+module Option
+  class Proxy < Base
+    def activate!
+      relay_port = start_proxy_daemon
+      add_firewall_rules(relay_port)
+    end
+
+    def deactivate!
+      relay_port = relay_manager.free(virtual_ip)
+      remove_firewall_rules(relay_port)
+      kill_proxy_daemon(relay_port)
+    end
+
+    private
+
+      def start_proxy_daemon
+        relay_port = relay_manager.next_available_port
+        relay_manager.lock(virtual_ip, relay_port)
+        system "/etc/openvpn/any_proxy -l :#{relay_port} -p '#{attributes['host']}:#{attributes['port']}' &"
+        relay_port
+      end
+
+      def add_firewall_rules(relay_port)
+        system "iptables -A PREROUTING -t nat -s #{virtual_ip}/32 -p tcp --dport 80 -j REDIRECT --to-port #{relay_port}"
+        true
+      end
+
+      def kill_proxy_daemon(relay_port)
+        pids = `ps -ef | grep #{relay_port} | awk '{ print $2 }'`
+        relay_pid = pids.split( /\r?\n/ ).first
+        `kill #{relay_pid} &`
+        true
+      end
+
+      def remove_firewall_rules(relay_port)
+        system "iptables -D PREROUTING -t nat -s #{virtual_ip}/32 -p tcp --dport 80 -j REDIRECT --to-port #{relay_port}"
+      end
+
+      def relay_manager
+        RelayManager.new
+      end
+
+      class RelayManager
+        RELAY_PORTS = [8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8099, 8010]
+        STATUS_FILE = '/etc/openvpn/relays.txt'
+
+        def lock(host, port)
+          File.open(STATUS_FILE, 'a') { |f| f.puts("#{host} #{port} ") }
+        end
+
+        def free(host)
+          list = File.readlines(STATUS_FILE).map { |l| l.split(' ') }
+          port = list.find { |e| e[0] == host }[1]
+          updated_list = list.reject { |e| e[0] == host }.join()
+          File.open(STATUS_FILE, 'w') { |file| file.write(updated_list) }
+          port
+        end
+
+        def next_available_port
+          used_ports = File.readlines(STATUS_FILE).map { |l| l.split(' ')[1] }
+          available_ports = RELAY_PORTS - used_ports
+          available_ports.sample
+        end
+      end
+  end
+end

data/lib/option/repository.rb

@@ -0,0 +1,18 @@
+module Option
+  class Repository
+    class << self
+      def find_by_code(code)
+        index[code.to_s] || raise(OptionNotFound)
+      end
+
+      private
+
+      def index
+        @index ||= {
+          'i2p'   => Option::I2p,
+          'proxy' => Option::Proxy
+        }
+      end
+    end
+  end
+end

data/lib/signer.rb

@@ -0,0 +1,7 @@
+require 'digest/md5'
+
+class Signer
+  def self.sign_hash(hash, key)
+    Digest::MD5.hexdigest("#{hash.values.sort.join}#{key}")
+  end
+end

data/lib/system/openvpn_status.rb

@@ -0,0 +1,19 @@
+module System
+  class OpenvpnStatus
+    attr_accessor :clients_list
+
+    class << self
+      def current_virtual_address
+        ENV['ifconfig_pool_remote_ip']
+      end
+
+      def server_virtual_address
+        ENV['ifconfig_local']
+      end
+    end
+
+    def initialize
+      @clients_list = {}
+    end
+  end
+end

data/lib/system/openvpn_status_log_parser.rb

@@ -0,0 +1,30 @@
+module System
+  class OpenvpnStatusLogParser
+    attr_accessor :status, :clients_block, :text
+
+    def initialize(text)
+      @status = System::OpenvpnStatus.new
+      @clients_block = false
+      @text = text
+      parse
+    end
+
+    def parse
+      @text.lines.each do |line|
+        line_tokens = line.strip.split(',')
+        parse_client_virtual_ips(line_tokens)
+      end
+    end
+
+    private
+
+    def parse_client_virtual_ips(tokens)
+      @clients_block = false if tokens[0] == 'GLOBAL STATS'
+      if clients_block
+        common_name, ip_address = tokens[1], tokens[0]
+        @status.clients_list[common_name] = ip_address
+      end
+      @clients_block = true if tokens[0] == 'Virtual Address'
+    end
+  end
+end

data/lib/system/openvpn_status_log_reader.rb

@@ -0,0 +1,29 @@
+module System
+  class OpenvpnStatusLogReader
+    LOGFILE_PATH = '/etc/openvpn/openvpn-status.log'
+
+    attr_accessor :log_content
+
+    class << self
+      def vpn_ip(common_name)
+        reader = new
+        reader.vpn_ip_for common_name
+      end
+    end
+
+    def initialize
+      read_logfile
+    end
+
+    def vpn_ip_for(common_name)
+      status = System::OpenvpnStatusLogParser.new(log_content).status
+      status.clients_list[common_name]
+    end
+
+    private
+
+    def read_logfile
+      @log_content = File.read(LOGFILE_PATH)
+    end
+  end
+end

data/openvpn-http-hooks.gemspec

@@ -0,0 +1,16 @@
+Gem::Specification.new do |s|
+  s.name        = 'securevpn-xyz-http-hooks'
+  s.version     = '1.3.3'
+  s.date        = '2014-04-27'
+  s.summary     = "HTTP hooks for OpenVPN server on securevpn.xyz"
+  s.description = "Trigger on openvpn events and notify HTTP API for securevpn.xyz"
+  s.authors     = ["Victor Ivanov at securevpn.xyz"]
+  s.email       = 'admin@securevpn.xyz'
+  s.files       = `git ls-files`.split($/)
+  s.homepage    = 'https://securevpn.xyz'
+  s.executables = ['openvpn-activate', 'openvpn-authenticate', 'openvpn-connect', 'openvpn-disconnect']
+
+  s.add_development_dependency 'rspec', ['>= 0']
+  s.add_development_dependency 'mocha'
+  s.add_development_dependency 'webmock'
+end

data/spec/fixtures/active_connections.txt

@@ -0,0 +1,10 @@
+OpenVPN CLIENT LIST
+Updated,Fri Jun  6 16:42:48 2014
+Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
+e0c187715fa9e1bb9fd96882dfa7af22,5.57.222.68:52248,294554,526171,Fri Jun  6 16:42:02 2014
+ROUTING TABLE
+Virtual Address,Common Name,Real Address,Last Ref
+10.77.2.6,e0c187715fa9e1bb9fd96882dfa7af22,5.57.222.68:52248,Fri Jun  6 16:42:47 2014
+GLOBAL STATS
+Max bcast/mcast queue length,0
+END

data/spec/fixtures/multiple_connections.txt

@@ -0,0 +1,11 @@
+OpenVPN CLIENT LIST
+Updated,Fri Jun  6 16:42:48 2014
+Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
+e0c187715fa9e1bb9fd96882dfa7af22,5.57.222.68:52248,294554,526171,Fri Jun  6 16:42:02 2014
+ROUTING TABLE
+Virtual Address,Common Name,Real Address,Last Ref
+10.77.2.6,login1,5.57.222.68:52248,Fri Jun  6 16:42:47 2014
+10.77.2.5,login2,5.57.222.68:52248,Fri Jun  6 16:42:47 2014
+GLOBAL STATS
+Max bcast/mcast queue length,0
+END

data/spec/lib/api/activation_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+describe Api::Activation do
+  subject { described_class.new }
+
+  describe '.activate' do
+    context 'successful activation' do
+      before do
+        stub_request(:post, 'api.securevpn.xyz/api/activate')
+      end
+
+      it 'saves key' do
+        subject.expects(:save_auth_key)
+        subject.activate
+      end
+    end
+
+    context 'not successful activation' do
+      before do
+        stub_request(:post, 'api.securevpn.xyz/api/activate').to_return(status: '404')
+      end
+
+      it 'raises error' do
+        expect {
+          subject.activate
+        }.to raise_error
+      end
+    end
+  end
+end

data/spec/lib/api/authentication_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+describe Api::Authentication do
+  subject { described_class.new('login', 'password') }
+
+  describe '.valid_credentials?' do
+    before do
+      subject.stubs(:auth_key).returns('key')
+      stub_request(:post, 'api.securevpn.xyz/api/auth').
+        to_return(status: status)
+    end
+
+    context 'status 200' do
+      let(:status) { 200 }
+
+      it 'returns true' do
+        expect(subject.valid_credentials?).to be_true
+      end
+    end
+
+    context 'status 404' do
+      let(:status) { 404 }
+
+      it 'returns false' do
+        expect(subject.valid_credentials?).to be_false
+      end
+    end
+  end
+end

data/spec/lib/api/billing_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+
+describe Api::Billing do
+  subject { described_class.new }
+
+  it "returns api url" do
+    expect(subject.host_with_port).to include "http://"
+  end
+
+  it "reads file with auth key" do
+    File.stubs(:read).with(described_class::KEY_PATH).returns("key")
+    expect(subject.auth_key).to eq "key"
+  end
+
+  it "returns machine hostname" do
+    Socket.stubs(:gethostname).returns("hostname.dev")
+    expect(subject.hostname).to eq "hostname.dev"
+  end
+
+  describe ".success_api_call?" do
+    let(:api_call_result) { mock() }
+
+    before do
+      api_call_result.stubs(:code).returns(code)
+      subject.stubs(:api_call_result).returns(api_call_result)
+    end
+
+    context "result is 404" do
+      let(:code) { "404" }
+
+      it "api call is not successful" do
+        expect(subject.success_api_call?).to be_false
+      end
+    end
+
+    context "result is 200" do
+      let(:code) { "200" }
+
+      it "api call is successful" do
+        expect(subject.success_api_call?).to be_true
+      end
+    end
+  end
+
+  describe ".api_call_result" do
+    before do
+      stub_request(:post, 'api.securevpn.xyz/api/auth')
+    end
+
+    it "fetches HTTP response" do
+      subject.stubs(:action).returns("auth")
+      subject.stubs(:data).returns({})
+      subject.stubs(:auth_key).returns("key")
+
+      subject.api_call_result
+      expect(subject.success_api_call?).to be_true
+    end
+  end
+
+  it "returns URI for api call" do
+    action = "auth"
+    subject.stubs(:action).returns(action)
+    expect(subject.uri).to eq URI("http://#{described_class::API_HOST}/api/#{action}")
+  end
+
+  it "adds signature to params hash" do
+    subject.stubs(:auth_key).returns("key")
+    subject.stubs(:data).returns({})
+    expect(subject.signed_data).not_to be_empty
+  end
+end

data/spec/lib/api/connect_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe Api::Connect do
+  subject { described_class.new }
+
+  describe '#invoke' do
+    before do
+      subject.stubs(:response).returns(
+        JSON.parse(
+          '{"id":101,"common_name":"login","options":["i2p", "proxy"],"option_attributes":{"i2p":{"attr1": "value1"},"proxy":{"attr2": "value2"}}}'
+        )
+      )
+      subject.stubs(:trigger_script_return)
+      subject.stubs(:success_api_call?).returns(api_call_validation_result)
+    end
+
+    context 'successfull script call' do
+      let(:api_call_validation_result) { true }
+
+      it 'activates options' do
+        Option::I2p.any_instance.expects(:activate!)
+        Option::Proxy.any_instance.expects(:activate!)
+        subject.invoke
+      end
+    end
+
+    context 'unsuccessfull call' do
+      let(:api_call_validation_result) { false }
+
+      it 'does not activate options' do
+        Option::I2p.any_instance.expects(:activate!).never
+        subject.invoke
+      end
+    end
+  end
+
+  it 'represents connect action' do
+    expect(subject.action).to eq 'connect'
+  end
+end

data/spec/lib/api/connection_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe Api::Connection do
+  subject { described_class.new }
+
+  describe '.invoke_if_valid_api_call' do
+    before do
+      subject.stubs(:success_api_call?).returns(success_status)
+      subject.expects(:exit).with(exit_status)
+    end
+
+    context 'success' do
+      let(:success_status) { true }
+      let(:exit_status) { 0 }
+
+      it 'exits with zero status' do
+        subject.invoke_if_valid_api_call { "empty block" }
+      end
+    end
+
+    context 'failure' do
+      let(:success_status) { false }
+      let(:exit_status) { 1 }
+
+      it 'exits with non zero status' do
+        subject.invoke_if_valid_api_call
+      end
+    end
+  end
+
+  describe 'attributes' do
+    let(:option_name) { "i2p" }
+    let(:common_name) { "login" }
+
+    before do
+      subject.stubs(:response).returns(
+        JSON.parse(
+          "{\"id\":101,\"common_name\":\"#{common_name}\",\"options\":[\"#{option_name}\", \"proxy\"],\"option_attributes\":{\"i2p\":{\"attr1\": \"value1\"},\"proxy\":{\"attr2\": \"value2\"}}}"
+        )
+      )
+    end
+
+    describe '.options' do
+      it 'returns options array' do
+        expect(subject.options.class).to eq Hash
+      end
+
+      it 'includes option name' do
+        expect(subject.options['i2p'][:option_class]).to eq Option::I2p
+      end
+    end
+
+    describe '.common_name' do
+      it 'returns common name' do
+        expect(subject.common_name).to eq common_name
+      end
+    end
+  end
+end